6th EDPD 2016 - DPO Network: Enduring values and sustainable solutions: The GDPR as a catalyst for individual digital rights across the globe

EUROPEAN DATA PROTECTION DAYS, 6th EDPD 2016, 25th and 26th April 2016, Berlin, Germany
#edpd16 www.edpd-conference.com

Table of Contents

DAY ONE – Monday, 25th April 2016

ENDURING VALUES AND SUSTAINABLE SOLUTIONS: THE GDPR AS A CATALYST FOR INDIVIDUAL DIGITAL RIGHTS ACROSS THE GLOBE
Giovanni Buttarelli, European Data Protection Supervisor

KEYNOTE
Julie Brill, Commissioner, Federal Trade Commission, USA

DATA PROTECTION IN A SMART NATION
Leong Keng Thai, Chairman, Personal Data Protection Commission, Singapore

CHANCES, CHALLENGES AND THE LATEST DEVELOPMENTS IN INTERNATIONAL DATA PROTECTION (Panel Discussion)
Julie Brill, Commissioner, Federal Trade Commission, USA
Giovanni Buttarelli, European Data Protection Supervisor
Helen Dixon, Data Protection Commissioner, Ireland
Leong Keng Thai, Chairman, Personal Data Protection Commission, Singapore

KEYNOTE
Isabelle Falque-Pierrotin, Chairwoman of CNIL France and Chairwoman of Article 29 Working Party, France

DATA PROTECTION – LANDSCAPE AND CHALLENGES
Helen Dixon, Data Protection Commissioner, Ireland

THE GENERAL DATA PROTECTION REGULATION – A BUILDING BLOCK FOR THE DIGITAL CONTINENT
Dr Viviane Reding, Former Vice-President of the European Commission, Member of the European Parliament

THE NEW DATA PROTECTION REGULATION – A GLOBAL GOLD STANDARD MADE IN EUROPE
Jan Philipp Albrecht, Member of the European Parliament

TRANSPARENCY AND USER CONTROL UNDER THE NEW DATA PROTECTION REGULATION (Discussion Panel)
Jan Philipp Albrecht, Member of the European Parliament
Manuela Siano, Official at Service for EU and International Matters of the Italian Data Protection Authority
Axel Voss, Member of the European Parliament
Dr Ulrich Wuermeling LL.M., Visiting Professor, Queen Mary University of London, Partner, Latham & Watkins, Germany

THE DAY AFTER – BINDING CORPORATE RULES & EXTERNAL AUDITING
Gabriela Krader LL.M., Corporate Data Protection Officer, Deutsche Post DHL, Germany

HOW GLOBAL COMPANIES NEED TO ADAPT THEIR PRIVACY AND DATA PROTECTION PROGRAMS IN ORDER TO MEET THE CHANCES AND CHALLENGES OF A CHANGING DATA LANDSCAPE
JoAnn Stonier, Chief Information Governance & Privacy Officer, Mastercard, USA

PRIVACY CHALLENGES IN EMERGING TECHNOLOGIES
Peter Fleischer, Global Privacy Counsel, Google Inc., France

DISCUSSION: PETER FLEISCHER / JOANN STONIER / GABRIELA KRADER LL.M.

ACCOUNTABILITY: BUILDING TRUST AND CREDIBILITY FOR BUSINESSES, CITIZENS AND REGULATORS
Elizabeth Denham, Information and Privacy Commissioner for British Columbia, Canada

DISCUSSION - ACCOUNTABILITY: THE INTERPLAY BETWEEN PRIVACY, COMPLIANCE AND CSR
Elizabeth Denham, Information and Privacy Commissioner for British Columbia, Canada
Laura Juanes Micas, Assistant General Counsel, International Privacy & Human Rights, Yahoo! Inc., USA
Zoe Strickland, Managing Director, Global Chief Privacy Officer, JPMorgan Chase & Co., USA

DAY TWO – Tuesday, 26th April 2016

KEYNOTE
Ted Dean, Deputy Assistant Secretary for Services, U.S. Department of Commerce, USA

ONE-STOP-SHOP FROM A COMPANY’S PERSPECTIVE
Dr Jyn Schultze-Melling LL.M., Director for European privacy policy, Facebook Ireland Ltd.

CLOUDS OF THINGS
Christopher Millard, Professor of Privacy and Information Law, Centre for Commercial Law Studies, Queen Mary University of London, UK

CLOUD-BASED PERSONALIZED SERVICES: ARE THERE SOME EU TOOLS TO DEMONSTRATE ACCOUNTABILITY?
Marie Charlotte Roques-Bonnet, Director of EMEA Privacy Policy, Microsoft, France

DESIGNING MOBILE APPS WITH PRIVACY IN MIND
Simon Hania, Vice President Privacy & Security, TomTom, The Netherlands

REDUCING THE IDENTIFIABILITY OF DATA IN ONLINE ADVERTISING AND MEASUREMENT TO STRENGTHEN CONSUMER PRIVACY
Benjamin Hayes, Chief Privacy Officer, Nielsen, USA

DATA RELATIONSHIPS IN B2B
Kasey Chappelle, Global Privacy Officer and Director of Commercial Compliance, American Express Global Business Travel, UK

CONTROLLER VERSUS PROCESSOR (Discussion Panel)
Kasey Chappelle, Global Privacy Officer and Director of Commercial Compliance, American Express Global Business Travel, UK
Uwe Fiedler, Chief Privacy Officer, Parexel International, Germany
Florian Thoma, Senior Director Data Privacy, Accenture GmbH, Germany

OPERATIONALIZING PRIVACY BY DESIGN IN A CONNECTED WORLD
Anna Pouliou, Executive, Lead Attorney for European Privacy & Data Protection, GE Corporate, Belgium

TELEFÓNICA’S APPROACH TO BIG DATA: A TELCO IN A DIGITAL WORLD
Stefano Fratta, Legal Director for Consumer, Fintech and Big Data, Telefónica CCDO, Spain

THE CHALLENGE OF BIG DATA FOR DATA PROTECTION: HOW TO ENABLE RESPONSIBLE USE OF BIG DATA (Panel Discussion)
Belinda Doshi, Chief Privacy Officer and Associate General Counsel, Pearson Group, UK
Stefano Fratta, Legal Director for Consumer, Fintech and Big Data, Telefónica CCDO, Spain
Christina Peters, Chief Privacy Officer, IBM Corporation, USA
Anna Pouliou, Executive, Lead Attorney for European Privacy & Data Protection, GE Corporate, Belgium

THE IMPLEMENTATION OF THE GDPR IN AN INTERNATIONAL COMPANY ILLUSTRATED BY THE EXAMPLE OF EBAY
Dr Anna Zeiter LL.M. Stanford, Head of Data Protection EMEA, eBay International AG, Switzerland
Dr Axel Freiherr von dem Bussche LL.M., Partner, Taylor Wessing, Germany

PROTECTION AND DISCLOSURE: THE CHALLENGES THE GDPR PRESENTS TO THE INSURANCE INDUSTRY
Orrie Dinstein, Global Privacy Leader, Marsh & McLennan Companies Inc., USA
Nicola Hughes, Legal Counsel, Marsh EMEA, UK

ISO 27018: A LEGAL VACUUM FILLED BY TECHNICAL STANDARDS
Sára Hoffman, Associate, Privacy and Data Protection Practice, Wilson Sonsini Goodrich & Rosati LLP, Belgium

DEMONSTRATING COMPLIANCE
Lauren Reid, Director of EU Privacy Solutions, Nymity, UK

CONNECTED CARS – HIT THE ROAD, PRIVACY?
Ruth Boardman, Co-Head of Bird & Bird‘s International Data Protection Practice, Bird & Bird, UK
Dr Fabian Niemann, Partner, Bird & Bird, Germany

PREPARING FOR THE GDPR: WHAT YOU NEED TO DO, WHEN YOU NEED TO DO IT
John Bowman, Senior Principal, Promontory Financial Group UK Ltd
Robert Grosvenor, Director, Privacy & Data Protection Practice, Promontory Financial Group UK Ltd

GLOBAL FRAMEWORKS AND LOCAL LAWS – ASSESSING PRIVACY RISK IN AN EVOLVING WORLD
Ralph O’Brien, Principal Consultant, EU, TRUSTe, UK

THE ROLE OF DPOS IN THE NEW GDPR
Philippe Renaudière, Data Protection Officer, European Commission

REFLECTIONS ON GOVERNANCE: INSIGHTS FROM A DUAL CPO-CCO
Hilary M. Wandall, Associate Vice President, Compliance & Chief Privacy Officer, Merck & Co. Inc., USA

PRIVACY IN LATIN AMERICA – AN OVERVIEW
Laura Juanes Micas, Assistant General Counsel, International Privacy & Human Rights, Yahoo! Inc., USA

DATA PRIVACY LAW IN THE ASEAN ECONOMIC COMMUNITY – THE DAWN OF A NEW AGE
Steve Tan, Partner, Deputy Head Technology, Media, Telecommunications, Rajah & Tann Singapore LLP, Singapore

APPROPRIATELY ADDRESS YOUR DATA-RELATED CONCERNS IN CHINA
Leon C.G. Liu, Partner, Attorney at Law, MWE China Law Offices, China

NEW RUSSIAN LAWS ON DATA LOCALIZATION
Ksenia Koroleva, Lawyer, Latham & Watkins LLP Moscow, Russia

EU-US PRIVACY SHIELD
Laura De Boel, Senior Associate, Privacy and Data Protection Practice, Avocat/Advocaat, Member of the Brussels Bar, Wilson Sonsini Goodrich & Rosati, LLP

DAY ONE – Monday, 25th April 2016

Enduring values and sustainable solutions: The GDPR as a catalyst for individual digital rights across the globe

Giovanni Buttarelli, European Data Protection Supervisor

While the General Data Protection Regulation might not be a perfect legal instrument, it is the best provision that could be achieved today. It relieves data processors of the onerous burden of notifying every single processing operation, while providing data subjects with more accountability as well as more transparency, and enforces both through stiff penalties for non-compliance. Peter Fleischer of Google once said that Google’s worst nightmare would be EU rules with US enforcement. Through the General Data Protection Regulation, Data Protection Authorities are now vested with more powers, but are also required to work more efficiently and predictably. In general, the Regulation provides much more flexibility than it appears to initially: instead of rigid regulation, it boosts best-practice guidelines for many aspects of the law. Such flexibility is clearly required if the new European Data Protection Board is to keep up with the rapid development of new technologies. Additionally, antitrust authorities can no longer ignore the effects of data and their potentially distorting impact. The European Data Protection Supervisor has also started notifying all EU institutions of the new requirements and that they naturally also apply to them. Finally, the Court of Justice of the European Union has taken a strong stance towards applying close scrutiny to national data protection laws. The terrorist attacks in Paris and Brussels were not a problem of too little information – after all, the information on the terrorists was available – but a problem of too little action. One of the new challenges on the horizon is the conflict between law enforcement and data protection. This also stands at the heart of the conflict over the new EU-US Privacy Shield. The Article 29 Working Party has raised serious concerns over the Privacy Shield and asked the question “Where do we go from here?”
It appears to be clear that great improvements are needed, and it seems unlikely that the current negotiations are the last word on the matter.

It is not unlikely that the EU-US Privacy Shield agreement will be changed and talks opened up again. Amendments could come from any side – the US or the EU – but the priority should be to reach a robust solution, not a solution at any cost.

With regard to Big Data and antitrust, antitrust authorities have finally started to understand big data much better and to realise its importance. The European Data Protection Supervisor does not interfere with their investigations, but the element of power in ‘free’ services should not be underestimated. Nevertheless, data protection may not be instrumentalised to achieve results which could not be achieved by antitrust law.

With regard to small and medium-sized enterprises or public administrations, the challenge is how investment in data protection can be understood not as yet another cost-raising regulation without any benefit in return. In this regard, Data Protection Authorities should help companies work better through privacy by design, and experience has shown that, after fighting regulation at first, companies eventually come to terms with it.

KEYNOTE by Julie Brill

Julie Brill, Commissioner, Federal Trade Commission, USA

Nowadays, almost everything is connected: 25 billion devices are connected today and in four years this will be 50 billion. All of this data has a dual nature, regarding the individual user but also society in general. Fitness data can track its user to motivate them to do more sport, but also enables researchers to study the population. Data from connected cars can help us reach our goals faster, while also enabling policy-makers to tailor public traffic policies to citizens’ needs. Keeping such personal data private and secure is vital to this industry, thus the new data-driven economy can be called the ‘trust economy’. Data flows are nowadays global, but the US privacy framework is significantly different to the EU system. Instead of a general law for data protection, there are specific rules to protect information about children, credit data, student data etc. Gaps in this sector-specific regulation can be filled by the Federal Trade Commission’s authority to pursue unfair and deceptive trade practices or through state legislation. The new EU-US Privacy Shield is an advancement over the old Safe Harbour agreement in that it provides strong and clear guidance on the issue of national security and provides EU citizens with – exclusive – access to US courts and the Ombudsperson. Not only are US companies subject to the requirement of obtaining affirmative consent, but the protection levels are extended to include contract partners. The EU-US Privacy Shield, with its Department of Commerce oversight, should be deemed to provide adequate protection. On the other hand, a much more important issue has been neglected: the General Data Protection Regulation. One of its goals is to set global data protection standards and, interestingly, the majority of its principles have found inspiration in US law. The standard of data security in the US is ‘reasonable security’, which is ensured through an ongoing process of risk-based assessment.
Some of these US-inspired principles, however, have been controversially implemented in the EU: for instance, the General Data Protection Regulation requires breach notifications within 72 hours, which can pose problems for the company and for law enforcement when an ongoing breach needs to remain active in order to investigate it. In many other regards we should be satisfied that these two regimes are converging. We see a movement towards a globally converging regime of data protection.

Data Protection in a Smart Nation

Leong Keng Thai, Chairman, Personal Data Protection Commission, Singapore

As a highly connected island state, it is Singapore’s vision to be the world’s first ‘smart nation’. Using Big Data from areas such as urban planning to the Internet of Things, authorities can become more efficient and better meet their citizens’ needs. Examples include big data computing in public transport to generate a predictive heat-map with an assessment of commuters’ demand. Another would be a map of elderly citizens and their need for pedestrian bridges. The challenge is to spur the progress of a whole nation without compromising the trust people have in these services. A case in point is obtaining informed consent with increasing amounts of collected data while future uses of this data remain impossible to envision. Singapore’s Personal Data Protection Commission believes that data sharing should be encouraged to create a superior, interconnected lifestyle. Most of Singapore’s data protection law is based on reasonableness as the decisive criterion to allow for a certain degree of flexibility: under certain circumstances, actual consent can be substituted (e.g. research) and under others, obtaining express consent is not necessary at all (e.g. for historical and statistical purposes). Instead of privacy-by-design, Singapore’s philosophy could be described as ‘trust-by-design’. On its way to a smart nation, the role of data protection in the ‘trust-hub’ Singapore is two-fold: firstly, to ensure protection for the individual and their data and secondly, to spur the use of data for the betterment of society as a whole. Proper data governance should encourage data sharing under a trusted framework.

Chances, challenges and the latest developments in international data protection (Panel Discussion)

Julie Brill, Commissioner, Federal Trade Commission, USA
Giovanni Buttarelli, European Data Protection Supervisor
Helen Dixon, Data Protection Commissioner, Ireland
Leong Keng Thai, Chairman, Personal Data Protection Commission, Singapore

Buttarelli: The importance of Data Protection Authorities in the fourth industrial revolution will increase since they gain more independence through the General Data Protection Regulation. Even without the possibility of physically meeting in Brussels, they need to cooperate closely and to communicate better with the citizens to speak as one voice in the EU.

Dixon: On the main question of whether the role of Data Protection Authorities encompasses only regulating the entities falling under their mandate or also ensuring adequate use of the data, the Court of Justice of the European Union in the Schrems case has guided Data Protection Authorities so that they have to consider every complaint, without the possibility of dismissing complaints based on the risk-based approach.

Brill: While the Court of Justice of the European Union has directed national Data Protection Authorities to respond to every claim, the Federal Trade Commission has a much wider mandate, including consumer protection law and competition law. It is organising ‘safe space’ group meetings for issues which consumers never see but which deeply affect them: cross-device tracking, data brokers, FinTech, drones, ransomware, smart TVs and listening devices. The role of Data Protection Authorities is to ensure that technology is developing in a data-protective way.

Leong: Public policies should not impede the potential of technologies. The charter of many Singapore agencies mentions not only promoting data protection but also promoting technology. Enforcement actions are meant to correct misbehaviour, not to scare companies off from using big data.

Buttarelli: Contrary to the Federal Trade Commission’s practice, the Article 29 Working Party has not held workshops or invited stakeholders. The new European Data Protection Board needs to practise an open approach and to integrate vertically with engineers in order to create a more future-oriented board which better understands the benefits of big data.

Dixon: However, while the name of the agency has changed from Article 29 Working Party to European Data Protection Board, the people on this board remain the same. The behaviour of such a body ultimately depends on the individuals in it, and useful knowledge from the industry is included through expert groups, but only to some extent.

Buttarelli: The board needs more IT and legal expertise and needs to be more accessible to the public. For this, a new generation of Commissioners is in place to bring fresh air to the board. Currently, a third-party country, with the support of an EU country, is pushing strongly to include exceptions based on national security into the framework.

Buttarelli: The question on how sanctions should be calculated is high on the list of priorities of the Article 29 Working Party. These need to be reasonable and scalable.


Dixon: The procedure for administrative fining under the General Data Protection Regulation includes safeguards for both the authority imposing the fine and the regulated entities. After a Data Protection Authority has imposed a fine, the courts will be tasked to confirm it.

Brill: Company size is only one factor when setting fines; sensitivity of the data is another. Also, whether the company has ignored warning signs or had past violations.

With regard to breach notifications in cases where the authorities are conducting criminal investigations, it might be necessary to postpone the notification of the public. The European Data Protection Board can decide to do so even under Article 33 GDPR.

With regard to the EU-US Privacy Shield, the ‘adequate level of protection’ means ‘essentially equivalent protection’ and needs to be re-interpreted in light of the Court of Justice of the European Union’s decision in Schrems. The Safe Harbour Agreement focused solely on the commercial side and only at the end did the US innocently ask to include a national security exception. A process of ongoing review shall allow for small adjustments and prevent big shocks; the future of the EU-US Privacy Shield will also determine the question of which role the EU wants to play in the world. But for the time being, the other mechanisms such as Binding Corporate Rules and Model Contracts are not affected by the Schrems decision.

KEYNOTE by Isabelle Falque-Pierrotin

Isabelle Falque-Pierrotin, Chairwoman of CNIL (France) and Chairwoman of Article 29 Working Party, France

The General Data Protection Regulation will change our legal system. The Article 29 Working Party’s action plan sets out the priorities for 2016 with regard to facilitating the transition to this new legal system. These include clarification and simplification regarding the new regime. The cooperation between Data Protection Authorities is as important for this to work as the European Data Protection Board. This cooperation achieves a decentralised, integrated enforcement framework.

With regard to the EU-US Privacy Shield, it should be noted that the agreement means a big step forward and provides many advantages for Europeans over the Safe Harbour Agreement. At the same time, there is still potential for improvement when it comes to onward transfers, legal redress mechanisms, public security exceptions and the independence of the Ombudsperson.

View the full keynote here: https://www.youtube.com/watch?v=uo0Fic9wyeI

Data protection – landscape and challenges

Helen Dixon, Data Protection Commissioner, Ireland

Data protection as a principle-based legal regime always requires interpretation. We can see that data protection does not have to generically refuse data processing but can be permissive and enabling. The ECtHR judgement in Bărbulescu v Romania and the CJEU decision in Bara confirm that the devil lies in the detail. Painting the world in black and white is too simple for such a complex issue. A case in point is the care.data project of the NHS, which was intended to serve the public good by making patient data available for research. While it met all formal compliance requirements, it was in breach of a ‘social licence’ by also commercialising this information.

While a majority of the population just wants to feel safe, the role of a Data Protection Authority usually consists of three major parts: supervision, consultation and cooperation.

Supervision starts with hearing individual complaints, even the insignificant ones at whose core lies not a data protection issue but the breakdown of an employment contract, a divorce or a fight against home foreclosure by a bank. Its supervisory role does not end there, however; it also includes driving complaints by organisations, audit inspections and enforcement actions.

Consultations with entities regulated by the Irish Data Protection Authority have been a priority. Despite relatively few individual complaints against the big multinational companies, the authorities have made it a priority and allocated resources towards consulting them.

In one instance, this has led to the non-implementation of a revised global privacy policy and several improvements for the users. When prosecution is either impossible or undesirable, consultations have been effective at influencing company behaviour. The General Data Protection Regulation will allow for more effective and more proportionate enforcement through a wider catalogue of offences and administrative fines.

In order to perform all of their functions, European Data Protection Authorities need to cooperate in a smarter way. While they remain independent regulators, the General Data Protection Regulation will bring them together in new ways, and they need to trust and work together for this to function. Various in-house counsels have expressed enormous concerns over what certain provisions in the new regulation mean in practice and how reasonably these will be applied, especially with regard to the transition process. Data protection is a high-level issue and flexible enough to wrap around the changes society undergoes.

The General Data Protection Regulation – a building block for the digital continent

Dr Viviane Reding, Former Vice-President of the European Commission, Member of the European Parliament

After years of forming and legislating, against fierce lobbying, the General Data Protection Regulation will be the cornerstone of Europe’s digital future. Finally, the basic right to privacy – as enshrined in the Charter of Fundamental Rights – will be implemented Europe-wide: one continent, one law. The building of a common Europe was an answer to centuries of wars, wars which had little consideration for individual rights. Consequently, these rights became the founding rights of the European Union. Against the background of decades of dictatorships in Eastern Europe, the 1995 Data Protection Directive was a statement against mass surveillance long before the digital revolution. While technologies advanced over the next two decades, regulation did not keep up. By 2011, 70% of European citizens were concerned that their personal data could be used for a different purpose than the one they were collected for. In order to restore citizens’ confidence in the data economy, the EU planned to provide a strong regulatory framework while ending the balkanisation of data protection rules. Privacy and security go hand in hand in this matter. After two years and 4000 amendments, the regulation passed the European Parliament after the revelations of whistle-blower Edward Snowden. Negotiations in the European Council were no less contentious and by the time the European Council had agreed on a position the draft had been distorted through exemptions. Eventually, a carefully brokered deal combined the General Data Protection Regulation with the Police Directive (Data Protection Directive). Against all odds, this historic deal was achieved and now needs to be continuously defended, especially by including these state-of-the-art data protection mechanisms in trade negotiations. Trade agreements are the venues where the global race for standards is going to take place. With extraterritoriality, anti-FISA clauses and fines of up to 4% of global turnover, the regulation has teeth to enforce compliance. With regard to the EU-US Privacy Shield, watertight guarantees from intelligence services and proportionality rules are still missing. If Europe is to lead in the digital era, it should occupy the high ground and establish a digital single market. In order to do so, new goals are set: investing in the digital infrastructure, creating a unified telecommunications market with unified rules and one single regulator, and a capital market union to simplify access to venture capital for start-ups. When it comes to monitoring, however, proximity is central. Having national Data Protection Agencies supervising compliance with unified European law is a great advantage.


Jan Philipp Albrecht, Member of the European Parliament

The new data protection regulation – a global gold standard made in Europe

The General Data Protection Regulation is a step forward not only for European, but for global standards. It combines good European data protection with good US enforcement, but multinational companies should not fear this combination because it is empowering companies and everyone else, and it will not make conducting business more difficult. Like the green revolution, the digital revolution will raise awareness and responsibility and will, eventually, be embraced by the economy. If a company wants to succeed in tomorrow’s digital economy, it needs to provide good data protection. The transition from an economy based on money as consideration to an economy partially based on data as consideration needs to be accompanied by a transition of trust. Such trust requires user control over their data and the option to opt out of the usage of personal data. This includes transparency on negotiations regarding legislation and trade agreements.

If legislators fail to ensure trust in this new type of economy, people will push towards a step back, away from the data economy, and will try to harbour personal data. Currently, it does not look like transatlantic developments allow for enough transparency. This could, however, be turned into a win-win situation by empowering citizens and reducing bureaucracy for companies.

The General Data Protection Regulation was also the best means of preventing the Balkanisation through unified rules.

International agreements on data protection and privacy can be seen as a bridge between two jurisdictions. This bridge, however, requires solid foundations in order to stand the test of time.


Jan Philipp Albrecht, Member of the European Parliament
Manuela Siano, Official at Service for EU and International Matters of the Italian Data Protection Authority
Axel Voss, Member of the European Parliament
Dr Ulrich Wuermeling LL.M., Visiting Professor, Queen Mary University of London, Partner, Latham & Watkins, Germany

Transparency and user control under the new data protection regulation (Panel Discussion)

Siano: In times of overly broad data protection policy notifications, these notifications cannot be seen as true substitutes for transparency. A multi-layered approach might be necessary to prevent ‘notification fatigue’. Also, icons could be used to make certain information more easily accessible. The General Data Protection Regulation picks up these issues and provides for provisions to transplant these ideas. These flexible rules, combined with the guidance from the European Board of Data Protection, are the framework for Data Protection Authorities and companies.

Voss: The General Data Protection Regulation is a step forward from the 1995 Data Protection Directive. At the same time, aspects such as the reliance on consent are contentious. Users will consent to anything without reading these legal notices. Concepts such as transparency and information are good but limited when it comes to protecting consumers. Not only because of the problem of too much data, but in connection with the whole notion of smart homes.

Wuermeling: As with any EU law, the European Court of Justice will be tasked with interpreting the law since the European Data Protection Board can only issue guidance without binding legal effect. Companies need to actively shape privacy policies. It must be questioned whether consent really is the vital aspect of data protection.

Albrecht: The notion of consent is not outdated, it is the concept the citizens of Europe chose when drafting the Treaty of Lisbon and the Charter of Fundamental Rights of the European Union. The notion of consent should not be seen in a formalistic view but rather as the concept of treating consumers and users as subjects of the law, not mere objects. Companies that value their consumers will not try to somehow circumvent the requirement of consent but make it meaningful again by ensuring that informed consent for all data processing is obtained.

Against a situation in which users are used to consenting to everything, stronger transparency should not mean just longer privacy policy notifications. Instead, the framework of obtaining informed consent needs to be improved.

Voss: Old structures cannot answer problems posed by the digital revolution. While consent is only one justification for data processing among several, it is the most important one. Privacy-by-design or privacy-by-default can be meaningful tools to protect consumers.


Gabriela Krader LL.M., Corporate Data Protection Officer, Deutsche Post DHL, Germany

The day after – Binding Corporate Rules & external auditing

Ms. Krader, Corporate Data Protection Officer at Deutsche Post DHL Group, started by emphasizing that Binding Corporate Rules (BCRs) have finally found a very prominent place in the General Data Protection Regulation (GDPR). More than in the past, enterprises will benefit from putting in place BCRs and will see much more stimulation to adopt BCRs. While the approval of the BCRs by the data protection authority (DPA) is certainly an important milestone, Ms. Krader focused on “the day after”, meaning: what happens after BCRs have been approved and are being put in place. Most importantly, there will be an audit by the DPA in order to verify the implementation of the BCRs, and enterprises have to prepare appropriately for such an audit. Audits are a fixed component of the BCR process, as stated in the Article 29 Working Party’s WP 153, and now Art. 47 of the GDPR. It is one of the challenges of the data protection officer to create an awareness on the side of the management of how serious this issue is. Ms. Krader then presented helpful observations regarding her own experiences with the implementation of BCRs being audited by the DPA. Generally, auditing the BCR implementation is broader than most audits as it pertains to the company’s overall data protection management. The audit will most likely be structured in four phases: (1) the kick-off (analyze the focus of the DPA request, draft a work plan, identify and align with stakeholders), (2) submitting documentation to the DPA (business overview, implementation of BCR requirements, data flows), (3) the DPA conducting interviews, and (4) the on-site inspection. The focus of the DPA may vary, but some core elements will most likely always be checked, e.g., whether the BCRs are legally binding on all legal entities and the company’s reporting organization (i.e., can the data processing team report directly to the highest management level). The DPA will also ask for statistics, so relevant metrics should be collected in anticipation. Ms. Krader then shared some practical lessons learned for those who are internally responsible for preparing such a process: you have to count on your management and take sufficient time to create a controlled process; the focus of the DPA’s request should be carefully analyzed and reflected in the internal work plan; for interviews, business representatives need to be appropriately selected and prepared; allocate responsibilities: you need the support of your business, the data protection department can’t do it on its own; spend sufficient time on the overview of data flows as it is difficult to present such a complex topic in a clear way.


JoAnn Stonier, Chief Information Governance & Privacy Officer, Mastercard, USA

How global companies need to adapt their privacy and data protection programs in order to meet the chances and challenges of a changing data landscape

Ms. Stonier in her presentation cast light on the different areas of responsibility that may be part of an effective “privacy” program in large organizations. She started by presenting the changing environment in which technology companies such as MasterCard are operating. In particular, internet of things products are rapidly evolving in the payment processing area, which she illustrated among other things with a “Smart Fridge”, co-developed by MasterCard. The Smart Fridge detects which supplies are used up and permits the user to immediately order and pay for such products via a screen on the fridge. The changes in the regulatory environment of technology products are as challenging as the technological development itself, as regulation often struggles to catch up with these developments, which leads to regulation often applying to changes that already occurred in the past. Ms. Stonier then went on to describe her role as Chief Information Governance & Privacy Officer. She pointed out that her and her team’s role is far more than providing privacy advice and outlined such a role by using the three terms “Regulatory”, “Technology” and “Product Strategy”. “Regulatory” means activities such as engaging in dialogues with the regulators and identifying compliance requirements. “Technology” means translating regulatory requirements into the right technology (e.g., identifying system requirements necessary for legal compliance). “Product Strategy” means helping the designers to design products in line with legal requirements (e.g., ensuring data compliance as part of product design and identifying and managing risks related to new data combinations). These different facets of Ms. Stonier’s role make it clear that many more skills than just legal expertise are needed. The worst place to be is the “valley of no”, as the products do not get done. The privacy professional must see him- or herself as a business enabler who also creates new data-driven ideas within the company. Furthermore, fostering communication is key. The issues that pop up in one product group are likely to arise in others as well, so exchange of information is important. Compliance with privacy rules not only needs to be embedded in the technology (e.g., privacy by design) but also in the company’s infrastructure and risk management. In this regard, Ms. Stonier pointed to a new tool that has been introduced at MasterCard: the information governance council. It is designed to solve arising problems fast by quickly creating relevant working groups, collecting information, deciding, and naming a champion to audit the implementation. Ms. Stonier ended lightheartedly by emphasizing how formidable, albeit challenging, the described job is.


Peter Fleischer, Global Privacy Counsel, Google Inc., France

Privacy Challenges in Emerging Technologies

Mr. Fleischer, Global Privacy Counsel at Google, started by pointing out that data is key to what Google does, as the group’s business is heavily data driven. Hundreds of millions of people are using Google’s “Privacy Checkup”, where the user can make a vast number of choices related to personal information (e.g., regarding location data, interest based ads, portability or a data trusteeship). Mr. Fleischer also pointed to the Google transparency reports, which are a good tool to show what people care about on the Internet. After some general remarks on the new General Data Protection Regulation (in particular that companies should start establishing compliance now and not wait until 2018), Mr. Fleischer turned to current challenges for technology companies like Google. One of the biggest challenges is the international applicability of laws, a very specific Google-related example of course being the right to be forgotten. To comply with the laws of the countries in which a company does business sounds easy, but is challenging for companies offering global services. For example, while some information can be taken down everywhere (e.g., material relating to child abuse or copyright infringement), it may be challenging to determine in which country a court-mandated takedown of a clip that, e.g., makes fun of a head of state, should be implemented. In this regard, the current appeal against the French data protection authority’s order (trying to force Google to broaden its application of Europe’s “right to be forgotten” law) is a matter of principle for Google. If the French order were to stand, the Internet would only be as free as the least free place on earth. Differences in data privacy regulations are also a challenge when using cloud technology, where data is moving between data centers all over the world based on algorithms. Moving on, Mr. Fleischer turned to the hot topic of machine learning. With deep learning and big data analytics technology, machines sometimes have more “knowledge” about a certain person than the owner or manufacturer of the machine (e.g., by analyzing billions of photos, a computer can quite precisely guess the location of a photo, which a human cannot). This development may have an influence on the concept of the “data controller”.


Discussion: Peter Fleischer / JoAnn Stonier / Gabriela Krader LL.M.

In the discussion part, the panelists picked up the discussion on machine learning after being asked in which cases it would be appropriate to assume responsibility for innovations of the manufacturer. Mr. Fleischer pointed out that the question will become: Will I be held accountable for something I do not really control? Ms. Stonier added that regarding transparency, because of the increasing complexity of the underlying technology, it is no longer possible to explain every step. More important is to describe what information will be used, and for what purposes. Other issues that came up were negative profiling (the determination whether profiling is “negative” should be made on a risk-based approach) and chatbots.


Elizabeth Denham, Information and Privacy Commissioner for British Columbia, Canada

Accountability: Building trust and credibility for businesses, citizens and regulators

In her presentation, Ms. Denham did a deep dive into the issue of accountability as a means of acting legally and ethically responsibly, and charted the rise of accountability in the awareness of both the regulators and the companies. The Information and Privacy Commissioner for British Columbia, along with some colleagues, developed a guideline (Getting Accountability Right with a Privacy Management Program) that outlines the Commissioner’s perspective on accountability, the key being the implementation of an appropriate privacy management program. The Canadian document is a blueprint for organizations for how to set up accountability by implementing organizational commitment, program controls and a review plan. Since this paper was published in 2012, several other data protection authorities have published similar papers. According to Ms. Denham, implementing accountability in an organization requires an upfront investment in privacy. The incentives, however, are many. Accountability is not just about simply complying with the law; it is important to strengthen client relations (breaking their trust means you lose their business). Accountability is not just about better record keeping, it is about addressing the risk of failing to see and connect the dots in a systematic way. Accountability therefore needs to be woven into the organization’s entire processes and systems. After Ms. Denham’s presentation, a participant agreed and stated that out of the Canadian model on accountability, a global approach emerged.

Elizabeth Denham, Information and Privacy Commissioner for British Columbia, Canada
Laura Juanes Micas, Assistant General Counsel, International Privacy & Human Rights, Yahoo! Inc., USA
Zoe Strickland, Managing Director, Global Chief Privacy Officer, JPMorgan Chase & Co., USA

Discussion - Accountability: the interplay between privacy, compliance and CSR

In the discussion on accountability and compliance, a big portion of the discussion was focused on the issue of trust, and how to create trust. As one participant put it: We need more trust by design than privacy by design. In this regard, the relevance of certificates and a privacy seal was discussed. While in some countries (such as Japan) certificates are already established, in the EU this approach still seems to be in its beginnings. There was agreement that incentives to use such tools should be created. Coming back to accountability, Ms. Denham pointed out that accountability is hard to “sell” internally to a whole organization, so the privacy professional needs to be a good communicator and storyteller. A critical point was raised in connection with “fear” being created by the new General Data Protection Regulation, e.g., due to the new sanctions regime or the role of the data protection officer as policeman of the organization.


DAY TWO - Tuesday, 26th April 2016

KEYNOTE by Ted Dean

Ted Dean, Deputy Assistant Secretary for Services, U.S. Department of Commerce, USA

The US delegation’s attendance at the Hannover Fair and the EU-US Privacy Shield are testament to the importance of Germany and the EU to the US. The EU-US Privacy Shield is not only about a few large social networks and search engines but about the core of the trust economy. Trust is the most important resource in this industry, but mundane data from warranties, safety data or data from the internet of things also required the EU-US Privacy Shield. It is our belief that the Privacy Shield will function as expected and will be deemed adequate. The two basic findings of the Court of Justice of the European Union in Schrems were that Data Protection Agencies are not restricted by the adequacy determination and that the European Commission’s adequacy determination was flawed since it did not take national security exceptions into account. These exceptions could be harmful to citizens if they were employed in a totalitarian country without the rule of law, but not in the US. The Court of Justice of the European Union in Schrems did, however, not conclude whether companies lived up to the principles of EU data protection or whether US governmental access to private data fails to meet EU privacy standards.

Highlights of the new EU-US Privacy Shield include: a new notice system, a deadline to respond to EU complaints, free alternative dispute resolution and the extension of all these rules to all sub-contractors. For the process of certification under the EU-US Privacy Shield, ongoing oversight over certified providers and transparency of the program are extremely important, along with the question of redress. Multiple uncomplicated ways to file complaints, seek court remedies, mediation or address the Ombudsperson have been put into place. The Ombudsperson has another toolbox at his/her disposal, such as referral to the independent inspector general. Such a wealth of options should not be seen as a confusion but rather as multiple ways for multiple different types of problems or complaints. In terms of the timing of the EU-US Privacy Shield, the envisioned date is June.


Dr Jyn Schultze-Melling LL.M., Director for European privacy policy, Facebook Ireland Ltd.

One-stop-shop from a company’s perspective

The idea of a one-stop-shop was meant to make things easier: one company, one member state, one stop to the shop. Despite this premise, it quickly attracted criticism for the potential of forum shopping and for concerns over citizens’ access to Data Protection Authorities. The European Parliament eventually led the development away from the one-stop-shop. The European Council agreed that every European citizen had to have access to their own Data Protection Authority when wishing to lodge a complaint. In order to bundle all these requirements, the final procedure includes the local authority (responsible for the citizen who wants to complain), the lead authority (regulating the entity that is allegedly violating data protection laws) and concerned authorities (whose views should be given utmost consideration). The corporate world will have to interact more closely with the world of Data Protection Authorities and will soon figure out which of them understand their role not only as regulators but also as enablers. Other Data Protection Authorities might take a more reactive approach, either by interpreting their mandate differently or because they lack funding or staffing for further tasks. Companies can avoid traps by focusing on their privacy risk management and a privacy-by-design approach. In any case, for this approach to work it will take cooperation both between the different Data Protection Authorities and between the DPA community and the industry and other stakeholders.


Christopher Millard, Professor of Privacy and Information Law, Centre for Commercial Law Studies, Queen Mary University of London, UK

Clouds of things

The ‘Cloud of Things’ describes a combination of cloud computing and the internet of things. Most ‘connected things’ are not directly connected but instead through multiple cloud instances. It is estimated that by 2020, between 20 and 100 billion things will be connected through the internet. Unlike traditional cloud computing, there is no exact taxonomy comparable to the NIST taxonomy (IaaS, PaaS, SaaS etc.). Without including ‘virtual things’, such a taxonomy could consist of physical entities capable of connectivity with a direct interface to the real world, whether they are attached, embedded or composite. These composite ‘things’ range from a few (smartphone) to 30.000 connected things in one thing (oil rig). Something remains a ‘connected thing’ if it is temporarily disconnected. When it comes to the three top issues in the cloud of things, confidentiality, integrity and authentication of data (CIA), these issues are currently mostly only attached together with the connectivity of the device to the thing, but this raises the question of who is responsible for ensuring these three basic concepts within the thing. This becomes essential when security breaches of connected things have real-life consequences. One industry might be especially affected by this development: the insurance industry will have to work on their policies on to what degree they compensate for harm derived from connected things. Things get even trickier when personal data is involved, and almost any machine data can have a personal aspect and thus be personal data. All of these issues need to be viewed under the legal regime of the General Data Protection Regulation. Transparency of consent poses practical problems to the cloud of things, while the principles of data minimisation and purpose limitation fly in the face of the ideas of scale and big data per se. Furthermore, the justification of ‘legitimate interest’ will fail in many instances, especially where a child is the data subject. The same question of responsibility arises in connection with Data Protection Impact Assessments under the General Data Protection Regulation. A possible solution could lie in privacy-by-design solutions. What is still unclear is how the new instruments of data portability and access to user data will be dealt with in connected things, especially where such data cannot be disconnected from personal data of other persons. Along with this, other legal questions arising will be the obligation to keep devices up to date, communications between several connected devices from different manufacturers, and changes to the terms and conditions and privacy policies.


Marie Charlotte Roques-Bonnet, Director of EMEA Privacy Policy, Microsoft, France

Cloud-based personalized services: are there some EU tools to demonstrate accountability?

The right to privacy and protected data cannot end at national borders but needs to be ensured in international data transfers. The two years that companies have to adopt the new rules of the General Data Protection Regulation is not a lot when it comes to creating accountability and being able to demonstrate this accountability. New challenges include the risk-based approach, the documentation to satisfy the European Data Protection Authorities, cross-EU investigations and the cooperation with the lead Data Protection Authority. Especially with regard to the limitations of purpose, data minimisation and legitimate interest, it remains to be seen whether the assessment of the company concerned corresponds to the assessment of the users and Data Protection Authorities. One way of ensuring this is to choose opt-in approaches wherever possible. Two main principles to guide Data Protection Officers are transparency and control. With all the tools at their disposal (Certification, Codes of Conduct, Seals, Life-Cycle Risk-Based Approach monitoring, Privacy-by-design, etc.) the question arises whether a selective or cumulative deployment is the most reasonable strategy. Companies need to consider all the European tools available to them and update their policies when new tools are introduced or others declared invalid. The new EU-US Privacy Shield is a case in point. Its four pillars (full commercial oversight, transparent US government access, 3 steps of enforcement and annual joint review) could provide a comprehensive tool for demonstrating accountability, but its future is unclear, especially with regard to potential court challenges and the first annual review. In the end, it is the company’s responsibility to use these tools effectively and responsibly.

Simon Hania, Vice President Privacy & Security, TomTom, The Netherlands

Designing mobile apps with privacy in mind

When designing data sensitive products, clarity and not transparency is the goal when informing your customers. When the product you are designing is an application, the built-in privacy notifications of the App Stores usually do not meet the requirements of informed consent. The permissions required by the operating system are only one aspect, the consent for data processing is an entirely different one, and the EU requirements regarding ‘cookies’ in the e-Privacy Directive are yet another aspect to which users have to consent. The next question would be how to best present the necessary information to consumers. Ideally, the user expresses his/her consent freely, withdrawably and affirmatively, after being informed about the specific purposes and granular uses, and this needs to be renewed periodically. A fair offer to opt out of tracking or to pay instead of having advertisements is a service to the customer. An informed user will in fact even allow tracking for advertisements if they trust your company and business model. The maxim should not be ‘if you don’t want people to know what you are doing, maybe you should not be doing it in the first place’ but rather ‘if I, as a company, cannot explain to my users why I am doing it, maybe I should not be doing it in the first place’.


Benjamin Hayes, Chief Privacy Officer, Nielsen, USA

Reducing the identifiability of data in online advertising and measurement to strengthen consumer privacy

There are four different categories of data: personal data, pseudonymous data, anonymous data and aggregated/statistical data. The General Data Protection Regulation includes pseudonymous data and covers it under the same laws as personal data. Online advertising and measurement companies use pseudonymous data to tailor advertisements to users. Pseudonymous data is data which can identify a natural person. The data used by advertisers in their cookies include device ID, IP address and identifier, none of which can, on their own and without paying for it, be used by third parties to identify the individual. Additionally, the life span of the data-saving cookies is limited to months. Also, users can access their data through preference managers or globally opt out of the tracking. These instruments are designed to remedy the consent problems from which all third parties suffer, since they do not have direct relationships with the users. Such a system of privacy-by-design ensures data protection while enabling advertisers to pursue their legitimate business interests.

Kasey Chappelle, Global Privacy Officer and Director of Commercial Compliance, American Express Global Business Travel, UK

Data relationships in B2B

When dealing in the business-to-business sector with issues such as vendor risk management or client on-boarding, one of the most important questions for Global Business Travel is whether they are a data processor or data controller. Both the Data Protection Directive (in Art. 2 (d)) and the General Data Protection Regulation (in Art. 4 (7)) consider any entity which decides on the purposes and means of data processing to be the data controller. Furthermore, this notion needs to be construed broadly so as to provide effective and complete protection of data subjects (Google Spain v AEPD). This already highlights that in order to determine who is data controller and who is data processor, factual considerations take the lead. Contractual statements as to the role of the different parties can conflict with the legal assessment of the situation, creating a problematic situation for all parties involved. When transferring data to vendors, a wealth of questions becomes important regarding the vendor’s mechanisms and structures to protect data and process it within the requirements of the General Data Protection Regulation. At the end of the day, it is the data controller that takes on the liability and responsibility for data protection.


Kasey Chappelle, Global Privacy Officer and Director of Commercial Compliance, American Express Global Business Travel, UK
Uwe Fiedler, Chief Privacy Officer, Parexel International, Germany
Florian Thoma, Senior Director Data Privacy, Accenture GmbH, Germany

Controller versus processor (Panel Discussion)

Thoma: The lines between controller and processor are blurring. Modern enterprises with multiple companies playing different roles or using platforms to exchange services will face this problem more frequently. Under the provisions of the General Data Protection Regulation, the distinction of controller vs. processor does not make sense.

Fiedler: Most of the data processed in pharmaceutical support services is anonymised data, and yet this data is treated differently in all countries, sometimes as anonymous, sometimes as pseudonymous and sometimes as sensitive data. Under pharmaceutical regulation laws, pharmaceutical manufacturers cannot assume control over the data. Between the client’s view (sole controller) and the Data Protection Authority’s view (joint controller), it is the task of the responsible Data Protection Officer to foster collaboration and find a solution.

Chappelle: Data protection law does not require data controllers or processors to present a privacy statement before receiving any type of information, so a ‘shell profile’ to start a new client with is usually followed by the statement when they enter their information.

Fiedler: Consent in clinical trials has much higher thresholds than ordinary data processing, thus obtaining the additional consent for processing is no problem. Joint data control would be more likely to be accepted if it was widely understood that control of the data does not require ownership of the data.

Thoma: While it might be new to some countries that data processors also have obligations under data protection law, this has always been the case in Germany. Most companies only have standard data processing agreements with their contract partners, but only a few have standard data controller agreements for joint data control.


Anna Pouliou, Executive, Lead Attorney for European Privacy & Data Protection, GE Corporate, Belgium

Operationalizing Privacy by Design in a connected world

Despite its generally agreed importance, definitions of ‘big data’ still vary. While some cases such as the ‘Hello Barbie’ make headlines, the issue encompasses so much more: from electric turbines to smart grid and hospital equipment. In all these industries, data analytics can provide huge savings. Additionally, extra value for customers or the public can be created when smart medical equipment helps save lives, smart aeroplanes prevent crashes or public healthcare data can be analysed at universities. In the latter case, the data does not include the name of the patient, but due to GE’s contracts with hospitals they can still re-identify the patient based on physical criteria. With the internet of things, consent is a problem when no user interface is present. The alternative is a privacy-by-design approach. This will create an environment of trust which is important not only for regulators but for customers. Such an environment of trust must encompass all areas of a business: from engineering to support, marketing and legal. For such specialised services, data needs to be transferred internationally. Even in the business-to-business sector, data from machine-to-machine communication can contain personal data and thus needs to be protected. Since the end of the Safe Harbour agreement, many tasks such as remote maintenance have been greatly hindered and it has taken two democratic jurisdictions very long to agree on a new text. Other topics for the future will be the safety of robotics, standardisation procedures across the EU and re-use of non-personal data.


Stefano Fratta, Legal Director for Consumer Fintech and Big Data, Telefónica CCDO, Spain

Telefónica’s approach to Big Data: a telco in a digital world

Telecommunications providers have a wealth of information about their customers, ranging from billing information to personal details (as required by most countries’ laws) to all the data generated by the user. Most users (90%) keep their mobile phone within 1 meter of their person at all times. Telecommunications providers traditionally use this data in three different ways: to improve the services to customers, to improve the company’s internal efficiencies, and to extract value from the data (either in the form of offering additional services to customers or by selling aggregated insights from anonymous data). Examples include travel alerts when withdrawing money abroad, strengthening two-factor authentication through SIM-swap prevention, or credit scoring in Latin America. Aggregated data is used after the individual datasets are anonymised and collected, and results are then extrapolated from this collection. This data can be used to aid businesses (e.g. to get to know their customers better, such as how far they are willing to travel to buy something) or the public at large (e.g. to coordinate refugees and relief workers after floods, disease outbreaks or other catastrophes). In order to process all of this data within the legal frameworks, most companies could rely on many different justifications. Telecommunications providers, however, can usually only rely on consent, since additional requirements from the e-Privacy Directive leave few other options. These restrictions do not apply to over-the-top service providers (e.g. WhatsApp, Skype, etc.). These companies have lower requirements to justify their data processing, and frequently they have few other ways of generating profit apart from utilising the data, unlike telecommunications providers, which have paying customers. When obtaining the consent of telecommunications customers, the problem is not how to obtain the consent but what this consent encapsulates. It is essential to the concept of big data that, while collecting the data, the processor does not yet know what the data is going to be used for. These problems can be overcome by using anonymous data, but the determination of when data is anonymous varies. Common to all definitions is that the data subject may not be identified through the data, but the tests differ: whether this applies only to ‘all the means likely to be used’ (Working Party 29), to re-identification through a ‘proportionate amount of time, expense, and labour’ (proportionate to what?) (German interpretation), or ‘until the risk of re-identification is remote’ (UK ICO). Data Protection Authorities should hold companies accountable for breaches of data protection laws but not limit what they can do with said data. When a Data Protection Authority decides on measures, past conduct and systematic weaknesses/safeguards should be considered.


Belinda Doshi, Chief Privacy Officer and Associate General Counsel, Pearson Group, UK
Stefano Fratta, Legal Director for Consumer Fintech and Big Data, Telefónica CCDO, Spain
Christina Peters, Chief Privacy Officer, IBM Corporation, USA
Anna Pouliou, Executive, Lead Attorney for European Privacy & Data Protection, GE, Belgium

The challenge of Big Data for data protection: how to enable responsible use of Big Data (Panel Discussion)

Doshi: Pearson utilises two different approaches to justify processing big data: consent and anonymisation of data. The real question is not which approach to choose but how to implement this in over 40 different jurisdictions.

Peters: The path our customers chose to justify processing big data is not given by us but we then help our customers achieve their goals. Even when consent is not appropriate, necessary or applicable, transparency remains important.

Fratta: Consent can be useful and is sometimes necessary but the main problem is how to develop one product for 27 countries with as little variation as possible.

Pouliou: In the realm of hospitals and medicare, obtaining consent is difficult, but because of the abundance of regulation there are also only very limited options to shape the relationships. When the company then seeks advice from Data Protection Authorities, they tend to provide conflicting advice.

Wuermeling: When data processing is outsourced to sub-contractors, the main processor needs to contractually establish that every sub-contractor is obliged to maintain the same level of data protection as the main data processor.

Doshi: When deciding whether a specific piece of information is personal data, pseudonymous or anonymous data, the question of whose point of view shall be taken is a contentious one which is currently up for review before the European Court of Justice. If third parties are taken into account, eventually all data is personal data and neither pseudonymous nor anonymous data exists. The approaches taken in the US and in the UK by the ICO (risk-based approach) are good in this regard. Within companies, Data Protection Officers need to consider the incentives of different actors and find a solution that is beneficial for the whole ecosystem.

Fratta: Which means are ‘likely to be used’ by customers to re-identify data subjects varies depending on the circumstances, but as a general trend, customers get used to more and more detailed insights into data subjects, and it is the company’s responsibility to draw the line and assess at which level the individual can be identified by the data buyer.

Pouliou: In the internet of things and future developments such as connected medical devices and personal devices connected to medical professionals, it is getting increasingly difficult for Data Protection Officers to work. In the future, the ethics of data protection will play a larger role. What are the lines we, as a society, are not willing to cross and which thus should be respected by companies?


Dr Anna Zeiter LL.M. (Stanford), Head of Data Protection EMEA, eBay International AG, Switzerland
Dr Axel Freiherr von dem Bussche LL.M., Partner, Taylor Wessing, Germany

The implementation of the GDPR in an international company illustrated by the example of eBay

Ms. Zeiter opened the session by introducing eBay’s multinational business and setting the frame for using eBay as an illustration of how to go about implementing the General Data Protection Regulation (GDPR). Most importantly, there needs to be a gap analysis between the old and the new law. Mr. von dem Bussche continued by making some general comments on the differences, namely, that the GDPR is not really new in large parts but rather an update on the existing rules, stricter enforcement and some new substantive elements. The good news is that the basic principles will remain the same. The bad news is that a lot of areas are not harmonized, e.g., the treatment of employee data (Art. 88 GDPR). Furthermore, contrary to the initial intention, the GDPR does not really establish a “one stop shop”. Overall, the key driver of the new rules is the new sanctions. The presentation then focused on specific areas companies should look into and take action on, including: (1) Data Mapping (Art. 30 GDPR), probably one of the biggest challenges. eBay is currently working on a dynamic data mapping tool to facilitate the process. (2) Update of privacy notices. Art. 13, 14 and 21 para. 4 GDPR require quite substantial information to be provided to the data subjects. It will be challenging to implement all these requirements in connected cars or IoT products. (3) Data subjects’ rights. Art. 16, 17 and 20 GDPR contain quite broad rights and, for example, the time frame to respond to data subject requests will be challenging. It may be that companies move towards automating their response to such requests where possible. Mr. von dem Bussche assumes that in combination with the ability of consumer agencies to bring claims for data protection violations, this will keep companies busy. (4) Consent mechanisms: it needs to be checked whether they still work under the GDPR. Probably companies will move towards using consent less as the basis for their processing. (5) Data transfer: there are new concepts and the stakeholders need to find out how they work, but this is currently music of the future. The Privacy Shield discussion is currently more interesting. The speakers closed by recommending next steps, in particular carrying out internal communication and training and closely monitoring the implementation of the GDPR.


Orrie Dinstein, Global Privacy Leader, Marsh & McLennan Companies Inc., USA
Nicola Hughes, Legal Counsel, Marsh EMEA, UK

Protection and disclosure: the challenges the GDPR presents to the insurance industry

The two speakers Orrie Dinstein and Nicola Hughes from Marsh & McLennan Companies Inc. presented the challenges the GDPR raises for insurance companies. The speakers started by putting the spotlight on some commonalities as well as differences between data protection law and insurance law. Both regimes share the goal of protecting individuals, and every individual in the member states is affected by them in some way or other, but while a fundamental principle of data protection law is data economy, i.e., the notion to process as little data as possible, an effective insurance system needs as much data as possible, and the insured are encouraged to disclose everything that could be relevant (e.g., age, income, recent injuries, previous surgery, medication etc.). The speakers then turned to five examples of special data protection problems relevant for the insurance industry, namely: (1) Consent. Some data is exchanged while the data subject is unconscious. Also, the data goes through so many hands before it eventually reaches the insurer that it is challenging to get consent. (2) Data retention. Insurance companies need to keep their data for a long time so that they can effectively calculate risks. (3) Risk profiling. The right not to be subject to decisions based solely on profiling causes challenges due to systematic profiling in the underwriting process. (4) Joint controllers. The line between processors and data controllers has almost become irrelevant under the GDPR. A company may be data controller for one purpose and data processor for others. (5) Sensitive data. Not a single exception to the consent requirement in the GDPR applies to insurance companies, although a vast amount of sensitive data must be processed. After this summary of the consequences of the GDPR for insurance companies, the speakers focused on the future. While there is still hope that secondary legislation or national legislation might bring some relief, industry codes of conduct might be the path forward.


Sára Hoffman, Associate, Privacy and Data Protection Practice, Wilson Sonsini Goodrich & Rosati LLP, Belgium

ISO 27018: a legal vacuum filled by technical standards – the possibilities and dangers of overlapping technical standards and legal requirements for cloud service providers

The declared goal of Ms. Hoffman’s presentation – on a subject matter that may not be a typical data protection topic – was to provide the audience with “the right questions to ask your CSO”. Ms. Hoffman started with a general introduction to the standard setting bodies ISO and IEC and the ISO 27000 series. It is a group of standards including, in particular, data protection requirements. If there is no applicable provision in a specific standard (e.g., ISO 27017), then one needs to go to a more general standard (ISO 27002 being the core one). ISO 27017, a specific standard for cloud computing, is the newest published standard of the 27k series. After this general introduction, Ms. Hoffman turned specifically to the ISO 27018 standard, which is a code of practice for the protection of personally identifiable information in public clouds acting as data processors. The standard has four main objectives: (1) compliance with legal and other obligations; (2) increased transparency, showing that it is a well-governed platform; (3) lower transaction costs, as the cloud processor can point to the certification and not spend much time on otherwise demonstrating compliance; (4) enabling customer audits and compliance rights in a multi-party virtualized server environment (otherwise the exercise of such rights would be impractical). The speaker went on to talk about select ISO 27018 features, in particular specialized controls that are tailor-made to fit cloud service providers (e.g., consent and choice, data collection limitation, openness, transparency and notice, etc.). Turning to the legal takeaways of the presentation, Ms. Hoffman pointed to the possibility of referencing ISO certifications in data processing agreements to verify the data processor’s reliability or in the description of the security measures. She closed by concluding that the ISO 27k family covers several GDPR compliance issues, technical and legal compliance measures, and that companies should take advantage of these overlaps. Companies should also make use of the recognizable ISO brand to send a strong compliance signal.



Lauren Reid, Director of EU Privacy Solutions, Nymity, UK

Demonstrating compliance

Both Art. 5 para. 2 and Art. 24 para. 1 of the General Data Protection Regulation (GDPR) require data controllers to demonstrate data protection compliance. How companies can fulfill this requirement was the theme of this session. The speaker started by distinguishing between the terms “compliance” and “accountability”. While you can be compliant by accident, you cannot be accountable by accident; therefore formalizing accountability with appropriate technical and organizational measures within the organization is a major step towards enabling compliance. Very useful papers have been published by data protection authorities around the world on accountability which give guidance on setting up an appropriate internal organization. Nymity has developed an accountability approach to demonstrating compliance (the Nymity Privacy Management Accountability Framework™) that has now been used for three years and comprises three core elements: responsibility, ownership and evidence. Responsibility means: specific privacy management activities have been implemented and are maintained on an ongoing basis. Ownership means: each activity is allocated to a specific function or business unit as owner. Evidence means: documentation is produced as a result of the privacy management activities that can be used as evidence of accountability and compliance, e.g., formalized policies and operating procedures, minutes of meetings, evidence of annual reviews etc. One of the recommendations was not to turn every person within the business into a compliance officer but rather to focus on collecting information (i.e., do not ask “are you compliant” but rather “have you done this activity”). Demonstrating compliance is telling a story, which requires context (meaning contextualized evidence). The story is not “our privacy program is perfect” but rather “we have put processes in place that enable us to be compliant, i.e., if we were to encounter a problem, it is unlikely that such a problem is based on negligence or a systemic failure on our part”.


Ruth Boardman, Co-Head of Bird & Bird‘s International Data Protection Practice, Bird & Bird, UK
Dr Fabian Niemann, Partner, Bird & Bird, Germany

Connected Cars – hit the road, privacy?

The speakers started by giving an overview of the legal issues surrounding connected cars such as cloud computing, big data, mobile apps, geolocation and the internet of things. An interesting insight in the opening was that in the case of connected cars, data security turns into physical security. The presentation then focused on three specific issues, namely the relevant personal data, the relevant actors and their respective ownership and rights, and the subsequent use of the collected data. As relevant data, GPS data (time, location, motion) and on-board diagnostics data (e.g., vehicle ID, speed, acceleration) were discussed, and in particular the concepts of anonymized and pseudonymized data. The more controversial part of the presentation was the discussion of the relevant players and their respective ownership and rights. Data ownership is currently heavily debated. In the case of connected cars, who owns the relevant data: the device creator, the device owner, or the person inputting the information? The question is relevant for various reasons, such as: from whom do I need to obtain consent? In this regard, it is also too short-sighted to focus only on data protection law; a consent or license may also be required under civil or criminal law aspects, even if no personal data is involved. Other players include car manufacturers, garages, insurers, service providers, the police and courts. Except for the police and courts, if these players want to use data they should diligently check the various legal aspects and, in case of doubt and if possible, have respective contractual arrangements in place. The last part of the presentation (on subsequent use) focused on Art. 6 para. 4 and Recital 50 of the General Data Protection Regulation. The speakers presented a useful chart guiding through the relevant questions when it comes to the subsequent use of data for a purpose other than that for which it was collected.


John Bowman, Senior Principal, Promontory Financial Group (UK) Ltd
Robert Grosvenor, Director, Privacy & Data Protection Practice, Promontory Financial Group (UK) Ltd

Preparing for the GDPR: What you need to do, when you need to do it

The presentation was structured into five segments. First, the speakers posed the very pragmatic question of what to do now. Their suggestion was to do the following: read the General Data Protection Regulation (GDPR); raise awareness of its significance within the organization (can you do an elevator pitch to the CEO?); identify key elements that will affect your organization (controller, processor, consent, data of children, profiling, transfer); develop a vision of the changed business and preferred outcomes and communicate key messages (such as the new sanctions regime). The second step would be to initiate a GDPR change-program plan, i.e.: obtain a mandate from the decision makers; figure out how this program does or could align with other programs (such as the implementation of binding corporate rules); and identify strategic and critical questions for immediate consideration. One thought that was put forward during the session was to potentially appoint a specialized project manager for the GDPR change-program. The third portion of the presentation addressed the issue of a “mid-program checkpoint”, approximately mid-2017. The GDPR implementation program should be well developed and in motion now. Here, things that would need to be done are: assess progress against program activities and objectives; ensure stakeholder expectations align with program delivery; review risks and issues that may present obstacles to success; start to embed new operational capability; and monitor GDPR guidance, e.g., of the Article 29 Group. The fourth phase is the phase where full readiness for the GDPR is supposed to occur (by mid-2018). Activities during this phase are: check completion of all activities against plans and success criteria; activate new policies and procedures ahead of GDPR go-live; record acceptance of outstanding risks and issues; and document all the change you have done to evidence the transition. During the presentation’s last part, the speakers closed by emphasizing that the participants need to get into the right mindset: “This is a big program which is not something you can do in addition to your day job”.

Ralph O’Brien, Principal Consultant, EU, TRUSTe, UK

Global frameworks and local laws – assessing privacy risk in an evolving world

Mr. O’Brien started by looking back at how 2015 saw global frameworks fall (the aftermath of the Snowden revelations; the European Court of Justice’s Google Spain ruling; the fall of Safe Harbor) and how 2016 sees new frameworks to replace them (the Privacy Shield; the General Data Protection Regulation (GDPR); upcoming changes in the privacy laws of Japan, Turkey, South Korea, China and Brazil; and the APEC Cross Border Privacy Rules (CBPR)). Organizations are having to navigate an increasingly complex and diverse global legal framework pertaining to their customer data policy, their employee data policy, their marketing data policy, their public trust charter and their information security policy. However, organizations should see this time as an opportunity to choose how they want to develop and to bring forward all their business processes. Mr. O’Brien closed by looking optimistically at potential future global interoperability, e.g., through codes of conduct under the GDPR and the APEC CBPRs.


Philippe Renaudière, Data Protection Officer, European Commission

The role of DPOs in the new GDPR

The European Commission as a body of the European Union has applied stricter provisions to data protection even before the new General Data Protection Regulation. Regulation 45/2001 on the protection of personal data in EU institutions and bodies has mandated that all 930 processing operations within the EU Commission were performed under strict observation of data protection principles. Every EU body appoints a Data Protection Officer for 5 years and a maximum of two terms. The Data Protection Officer with the European Commission is principally in the same position as any Data Protection Officer in a company. This means that the new General Data Protection Regulation will also be fully applicable to the European Commission. While having a Data Protection Officer is now mandatory (under certain circumstances), the role still provides flexibility. An officer can be shared by a group of enterprises and can be an external contractor. The Data Protection Officer needs to maintain contact with the highest level of management of the company and with the relevant Data Protection Authority. The role requires the officer to be contacted whenever data protection issues arise, ideally at the beginning of a project to ensure implementation of privacy by design and Data Protection Impact Assessments from the start. Individual data subjects must have the possibility to contact the Data Protection Officer. The regulated entity must provide sufficient support for their Data Protection Officers and respect the independence of this position. All in all, the role of a Data Protection Officer is thus threefold: to advise the management, to audit company procedures and to enforce data protection rules internally. The key concept to achieving all this is accountability, which he/she must also be able to demonstrate.


Hilary M. Wandall, Associate Vice President, Compliance & Chief Privacy Officer, Merck & Co. Inc., USA

Reflections on governance: insights from a dual CPO-CCO

When Merck & Co started a Data Protection Office in 2001, the main provisions were the Data Protection Directive, the just established Safe Harbour Agreement and healthcare-specific data protection laws. This led to five main priorities: establishing a global Data Protection Office, educating the company’s employees and developing core policies with regard to global data protection, safe harbour and internet privacy policy. Over the next few years, new general and sector-specific laws were introduced in many countries. Along with breach notifications and automated processes came the move to include the data protection office in the compliance division, which also enabled the Data Protection Officer to draw inspiration from other compliance regimes such as anti-bribery compliance and healthcare-specific compliance. Also structures such as individual complaint mechanisms could be copied from the Chief Compliance Officer. While the structures and additional tools (for instance Binding Corporate Rules) are useful, they are only tools. At the very core of every compliance programme need to be the values and principles of a company: individual consideration, trust, prevention of harm and the spirit of the law. They reflect the general outlook of the company and its attributes such as trustworthiness, fairness, openness, transparency, responsibility and respect. From then on a risk methodology was developed to assess the sensitivity of the data and the associated risks. The same methodology is applied during vendor assessment. Rounding this system off, we conduct annual reviews and certifications to ensure ongoing compliance.

Laura Juanes Micas, Assistant General Counsel, International Privacy & Human Rights, Yahoo! Inc., USA

Privacy in Latin America – an overview

Contrary to popular belief, 70% of Latin American countries have data protection laws (even in their constitutions), based first on individuals’ right to be informed about data collection by public bodies and later expanded to private entities as well. Starting in 2000, Argentina was the first country to adopt privacy laws, followed by Uruguay in 2008; a trend which then spread across the continent and now covers more than 200 million people. These laws are heavily inspired by the EU Data Protection Directive and especially its Spanish implementation, and also envisage judicial protection for individuals. In an attempt to secure a safe path to adequacy, most countries have interpreted the underlying principles more narrowly than the ‘95 Directive. All these regimes are characterised by heavy reliance on consent, with almost no country featuring a legitimate interest justification. Most countries also restrict foreign data transfers with an adequacy exception, but no country has developed a white list. While great uncertainties and little guidance from precedents exist, Latin American regulators are very open to feedback. Requirements on breach notifications vary from notifications only to the Data Protection Authority to notifications to the individuals with a set deadline. Brazil, for instance, has no comprehensive privacy law but instead sectoral approaches and a constitutional basis. Legislative attempts were changed at the last minute due to revelations in connection with Edward Snowden. A comprehensive privacy law is still being constructed, including data transfer clauses and extra-territoriality clauses, but its implementation is uncertain as of now.


Steve Tan, Partner, Deputy Head Technology, Media, Telecommunications, Rajah & Tann Singapore LLP, Singapore

Data privacy law in the Asean Economic Community – the dawn of a new age

The Association of Southeast Asian Nations (ASEAN) consists of 10 member states and comprises a total population of 622 million. At the end of 2015, ASEAN became a community based on three pillars: Economic (AEC), Political and Security, and Socio-Cultural. Especially important to ASEAN’s thriving economy is e-commerce as a tool to level richer and poorer ASEAN countries. E-commerce, however, requires functioning data protection laws. The laws on data protection of the ASEAN member states still vary significantly: Singapore, Malaysia and the Philippines have overarching frameworks on data protection; Vietnam, Indonesia and Thailand only sectoral laws or drafts for comprehensive laws; and the rest do not have data protection laws.

Singapore’s Personal Data Protection Act (“PDPA”) has extraterritorial effect, civil fines up to 1 million and criminal liability for serious offences.

Malaysian data protection law only applies to commercial entities and is enforced either through fines of up to 110,000 € or 3 years imprisonment.

The Data Privacy Act of the Philippines applies to entities which either use equipment in the Philippines or have an office/subsidiary there, unless the data is originally collected abroad in accordance with the local law (‘call centre exception’). Fines can amount to 95,000 € or 6 years in prison.

Indonesia restricts data protection to data about Indonesian citizens, and this is enforced with fines up to 67,000 € or one year imprisonment. Additionally, sector-specific data protection laws apply.

In Thailand, Vietnam or Brunei there is no overarching data protection law but sectoral regulations, with legislative processes under way to introduce more comprehensive laws.

Myanmar, Laos and Cambodia do not have overarching data protection laws, no noteworthy sector-specific laws and no developments in this area.

AEC data protection laws should not be ignored by European and US companies, since civil and criminal fines can be high, some countries’ legislation has extra-territorial effect, and the laws are constantly changing at the moment.

Leon C.G. Liu, Partner, Attorney at Law, MWE China Law Offices, China

Appropriately address your data-related concerns in China

Chinese data protection law is very diverse, mostly bureaucracy-driven and still in its infancy. In this regard China is definitely different with its policies and goals. Data processing, but also data protection, is done before the legal framework to do so is put in place. This means that regulators rely on general clauses and learn ‘on the job’ to refine the regulations. The whole framework is designed to focus on the core interest: data security. Secrecy is the most advised strategy nowadays. Still, the regulators encourage change as a way of promoting the economy because they see a chance for improvement. One of the milestones in Chinese case law was the anti-corruption lawsuit against GlaxoSmithKline. The former General Counsel of GSK had gotten information from an internal whistle-blower and hired an international investigation firm to find the leak. Unfortunately, this international investigation firm had no license to conduct investigations in China (as almost no international investigation firm has). Another recent development is China’s emphasis on electronic data security for sensitive industries (such as healthcare or energy), including a provision to keep servers in China and maintain updated information databases on those servers. Also the flow of data across borders can be tricky in China, and companies have to be careful and conduct proper screening for compliance with information acts and secrecy statutes, especially when dealing with state-owned enterprises. Even more caution is warranted when dealing with state interest-related sensitive information, for instance when the Chinese board members of a joint venture have to forward some of the mutual information. Also the classical topic of personal data has gained importance in China recently for two main reasons: firstly, data privacy is deeply linked to data security, and secondly, Chinese employment law is progressive in that it provides a wealth of rights to employees. This plays a major role when, for instance, internal investigations also access devices where personal data of the employee is held.


Ksenia Koroleva, Lawyer, Latham & Watkins LLP Moscow, Russia

New Russian laws on data localization

The three main highlights of Russian data protection law are:
1. data localisation laws,
2. bundled legislation regarding strict consent for data processing, and
3. the right to be forgotten.

In 2015, amendments to the Russian Personal Data Protection Law and the Russian Information Law entered into force. Among the changes were regulations on data localisation, i.e. that databases with specific types of personal data about Russian citizens may not be stored abroad. This requirement cannot be waived through the individual’s consent. However, this only regulates that the Russian database should be the database of first record and must be kept up to date and be updated first. Restricting cross-border data transfers is not the goal of these changes; the goal is to ensure up-to-date Russian databases. There are certain exceptions, especially for international treaties and government access to data. These regulations can have extra-territorial effect if the data-collecting company uses a Russian domain name (.ru/.su/etc.) or if there is a Russian-language version of the website and it either accepts RUB as payment or there are links/advertisements in Russian on the website. Foreign backups are not prohibited by the law. Non-compliance with this law can result in administrative fines, professional penalties and restrictions on access to the website.

Laura De Boel, Senior Associate, Privacy and Data Protection Practice, Avocat/Advocaat, Member of the Brussels Bar, Wilson Sonsini Goodrich & Rosati, LLP

EU-US Privacy Shield:

In 2015 the European Court of Justice declared the adequacy decision regarding the Safe Harbour agreement of 2000 invalid. The revelations of Edward Snowden in 2013 played a major role in this. Immediately after the judgement, many companies faced great uncertainty. Many quickly adopted model contracts while hoping for the EU and US to quickly agree on the EU-US Privacy Shield, which is not yet adopted but has already been criticised in the Article 29 Working Party report. The main principles are similar to those of the Safe Harbour agreement and rely on self-certification. The requirements for a privacy notice are explained in more detail than in the Safe Harbour agreement. Onward transfers to third parties must now be based on an onward-transfer agreement. The primary data controller will be liable for non-compliance by third parties unless it can reverse the burden of proof and exonerate itself. One of the key changes is the complaint handling mechanism. Various venues of complaint are open to EU citizens, such as the Ombudsperson, Alternative Dispute Resolution, arbitration or the courts. At the core of the changes, however, was the issue of national security access and processing. The EU-US Privacy Shield now includes assurances from the US that data transferred to the US will not be subject to mass surveillance. The Article 29 Working Party clarified that the standard set by the Court of Justice of the European Union is high, but its exact threshold cannot be determined without further guidance. In its conclusion, the Article 29 Working Party found that several aspects of the EU-US Privacy Shield might not meet the standard set out by the European Court of Justice. The principles of the Shield should be better aligned with the EU rules so as not to lower the data protection standard enjoyed by EU citizens. In the meantime, the Article 29 Working Party confirmed, companies could still use model contracts and Binding Corporate Rules, which are not affected by the Schrems judgement and remain valid.

Impressum:

EUROFORUM, Prinzenallee 3, 40549 Düsseldorf. V.i.S.d.P.: Elke Schneider

SAVE THE DATE: 15th & 16th MAY 2017

VIDEO IMPRESSIONS: www.edpd-conference.com/edpd16-video-recap
